Top Software Security Failures and What We Can Learn From Them
Software security is now essential, as attacks grow steadily each year. In 2016 more than 758 million malicious software security attacks occurred.
Shockingly, the number of attacks targeting businesses doubled the following year. As attackers' methods become more sophisticated, vigilance over software security is needed now more than ever.
Following on from our piece on Simple Steps to Essential Software Testing, we identified that human error plays a part in causing bugs in lines of code. Human error now causes over 90% of all corporate cyber-attacks. It is more crucial than ever to place cybersecurity at the foundation of your software development.
The false missile alert sent through the Emergency Alert System to every resident of Hawaii could very well go down as one of THE most frightening human-error mistakes in history. Here we have the perfect example of human error and its catastrophic impact on the population of Hawaii. Over a million people prepared for a life-threatening missile attack, all because of one person's mistake.
What happened? The FCC admitted to not having ‘reasonable safeguards’ in place to prevent human error.
Let’s take a look at some examples of companies who have had to learn the hard way about human error security breaches.
Top Company Software Security Failures
In 2017 a Bupa employee inappropriately copied and removed customer information from the Bupa database. The names, dates of birth and contact information of 500,000 customers were compromised; luckily this excluded their medical information. It didn't stop there: the employee then tried to sell the customer information on the dark web, resulting in Bupa being fined £175k. With the introduction of GDPR, penalties can now be considerably higher.
The mistake? Over 1000 members of staff had access to these private customer files. Not one staff member flagged the suspicious activity in the database until the advert was identified on the dark web.
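The Bupa case turned on the fact that a single account could pull half a million records and nobody noticed until the data surfaced for sale. The script below is an added example, not Bupa's or Hut Six's code, of the kind of check that would have raised a flag much earlier: it reads database audit log lines (the log format and the user names are constructed for the example) and reports any account whose daily volume of customer-record access is far above that of its peers on the same day.

```python
"""Flag accounts whose customer-record access volume is far above their peers.

Added example: illustrative detection logic, not code from Bupa or Hut Six.
The audit log format and user names below are constructed for the example;
map your own database audit fields onto the regular expression.
"""
import re
import statistics
from collections import Counter, defaultdict

# Constructed sample of a database audit log. Most staff look up a handful of
# records; one account exports hundreds of thousands in a single shift.
SAMPLE_AUDIT_LOG = """\
2017-01-10T09:02:11Z user=jsmith action=SELECT table=customers rows=3
2017-01-10T09:15:40Z user=akhan action=SELECT table=customers rows=1
2017-01-10T09:20:05Z user=jsmith action=SELECT table=customers rows=2
2017-01-10T10:01:00Z user=mbrown action=SELECT table=customers rows=5
2017-01-10T10:30:27Z user=tlee action=EXPORT table=customers rows=250000
2017-01-10T11:12:09Z user=akhan action=SELECT table=customers rows=4
2017-01-10T11:45:33Z user=tlee action=EXPORT table=customers rows=250000
2017-01-10T13:00:00Z user=mbrown action=SELECT table=claims rows=2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) action=(?P<action>\S+) "
    r"table=(?P<table>\S+) rows=(?P<rows>\d+)$"
)


def parse_audit_log(text):
    """Yield (date, user, action, table, rows) tuples; skip malformed lines."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        yield (m["ts"][:10], m["user"], m["action"], m["table"], int(m["rows"]))


def rows_per_user_per_day(events, table="customers"):
    """Sum the rows touched in `table`, keyed by (date, user)."""
    totals = Counter()
    for date, user, _action, tbl, rows in events:
        if tbl == table:
            totals[(date, user)] += rows
    return totals


def flag_bulk_access(text, table="customers", factor=20.0, min_rows=1000):
    """Return [(date, user, rows)] for accounts whose daily row count in
    `table` exceeds both `min_rows` and `factor` times the median of their
    peers that day. Using the median keeps a single bulk exporter from
    dragging the baseline up and hiding itself."""
    totals = rows_per_user_per_day(parse_audit_log(text), table)
    by_day = defaultdict(dict)
    for (date, user), rows in totals.items():
        by_day[date][user] = rows
    flagged = []
    for date, users in sorted(by_day.items()):
        for user, rows in sorted(users.items()):
            peers = [r for u, r in users.items() if u != user]
            baseline = statistics.median(peers) if peers else 0
            if rows >= min_rows and rows > factor * baseline:
                flagged.append((date, user, rows))
    return flagged


if __name__ == "__main__":
    for date, user, rows in flag_bulk_access(SAMPLE_AUDIT_LOG):
        print(f"{date}: {user} touched {rows} customer rows; review this account")
```

On the constructed log this flags only the exporting account, while the three ordinary users (five rows each) stay well under the absolute floor. In practice the alert would feed a review queue; the point is that the access was visible in the audit trail the whole time, and a peer-relative threshold is enough to surface it.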
eBay was the victim of a deviously simple phishing attack. The hackers managed to steal the credentials of over 100 employees. They used those employee credentials to access the details of 145 million customers, including passwords, names, email addresses and physical addresses, for a whole 229 days.
It is possible that the employees' credentials were stolen through a social engineering attack, a web application vulnerability or a cookie vulnerability.
Like the eBay example, Sony was another victim of a sophisticated phishing attack. This time the top executives were the target. The hackers created an authentic-looking fake Apple ID verification email, which led to a phishing site with the aim of stealing the targets' Apple logins. These passwords were used in conjunction with social media to guess their way into the Sony network. Sony then suffered an enormous wiper malware attack on its computer networks, causing a minimum of $35 million in damages. Additionally, 100 terabytes of data were stolen and posted online.
An EE customer, Francesca Bonafede suffered next-level stalker abuse by a crazy ex-partner, who was previously an EE employee.
Without her permission, the ex illegally accessed Francesca's home address and bank details. He then visited an EE shop where he requested a new SIM and moved the account to a new handset and to his own home address. All her mobile activity was secretly redirected to her stalker and tracked, without her knowing.
EE issued a public response saying the man no longer worked for EE, and internal policies surrounding his departure had not been followed.
What Did All of These Software Security Failures Have in Common?
They were all caused by human error.
Will This Even Affect Me?
Now, you may be thinking this only happens to the big dogs. Guess again.
Cyber-attacks should be alarming to everyone, and even more so for start-up businesses.
Here are some facts:
60% of small companies go out of business within six months after a cyber-attack.
New businesses are targeted the most with 38 new ransomware variants detected on average each day.
In 2017, 875,000 SMEs across the UK had been affected by a cyber-attack.
For 1 in 10 start-ups, the breach has cost over £10,000.
Why are start-ups so heavily represented in the security-failure statistics? It could be due to their infancy and inexperience in security management. It could also be because only 20% of businesses put their staff through any cybersecurity training.
For early-stage start-ups, these facts are alarming. However, don’t lose hope; there is a simple solution. That solution lies in efficient cybersecurity protocols, and it’s easier to implement than you think.
The Solution to Software Security Failures?
As we’ve touched upon, it’s human error that is the primary cause of security breaches.
It is essential that an effective employee training program doesn’t just outline rules around cybersecurity. It must test employee efficiency and knowledge while teaching.
Hut Six is one such company that understands that the best prevention is in employee training.
Train, Test, Track
It’s all well and good providing the training on cybersecurity, but how do you know if your employee was paying attention, and internalising the information?
Hut Six provides simple cloud-based training tutorials that can be played directly from the employee's desk. The animated and voiced tutorials are not only informative but interactive too, engaging the employee and providing the metrics to assess, track and improve their performance throughout the campaign.
Hut Six customise training literature to be specific and relevant to each company and its brand. Tutorials can also include particular company policies. Hut Six even provide users with accurate and definitive actions that apply to their situations which keeps information new and relevant.
Hut Six have devised an end of training test that will allow companies to monitor staff performance. An analysis also ensures a high standard of understanding for every employee.
With the addition of relevant real-life scenarios, employees receive appropriate examples for the business.
Hut Six analyses staff every two weeks to keep knowledge relevant to the latest phishing trends, including any new changes such as GDPR.
Hut Six have designed an easy-to-view management dashboard showing the organisation's cyber awareness. It can be broken down by department, profile and security topic for easy viewing of company performance.
The test results are easily tracked in the Hut Six programme, and the management dashboard provides a snapshot of your organisation’s security awareness. This generates risk profiles for each user and department.
For many organisations, finding the time to implement training while running a business day to day is difficult. Hut Six have thought of this and condensed each tutorial into a 5-to-10-minute mini training session, once every two weeks.
This not only ensures consistent training but also avoids taking away from employee productivity.
More Than Just a Training Programme
Possibly one of the unique aspects of Hut Six's programme is that they understand the human motivations behind the human error. Each campaign has been carefully designed to consider the various motivations behind the behavioural change.
As we’ve seen in the examples above, each human error mistake made can be due to a change in behavioural thinking. It can be technical, social, economic, professional and personal situations that convince people to change their behaviour.
Hut Six cleverly incorporate the psychological behaviour patterns into their training and take cyber security awareness to the next level.
Protect your start-up and its intellectual property: test your employees efficiently and shore up your security.